Fortigate firewall syslog


Khem Raj Bhatta

Jun 20, 2022, 7:57:17 AM
to Wazuh mailing list
Hello everyone,

I am stuck in a situation and need all your guidance. I am using Wazuh version 4.0.4.

I wanted to receive the syslog of the Fortigate firewall using Wazuh. I did send the logs to port 514 UDP and I did receive them in the archives.log file, but I am not receiving any logs in the Discover section of the Wazuh indices.

I did try to trigger rule number 4, that is login failure, but I didn't receive it in the Wazuh alert dashboard; however, I did receive it in my archives.log file.

Any suggestion?


Julia Magán Rodríguez

Jun 20, 2022, 8:12:18 AM
to Wazuh mailing list

Hello,

If you are receiving the event in /var/ossec/logs/archives/archives.log but no alert is triggered, it may be that there is no specific decoder or rule for those events and you will have to create custom ones. Could you share with me the events you are receiving in archives.log?

Khem Raj Bhatta

Jun 21, 2022, 5:56:24 AM
to wa...@googlegroups.com



---------- Forwarded message ---------
From: Khem Raj Bhatta <khem....@vairav.net>
Date: Mon, 20 Jun 2022, 6:15 pm
Subject: Re: Fortigate firewall syslog
To: Julia Magán Rodríguez <julia...@wazuh.com>


Hi Julia,

Thank you for responding so quickly. I am triggering the rules that are already present in the decoder, like, as I said, rule 4, where I have tried to authenticate with a fake user and tried multiple times. I also tried to connect with VPN with multiple failed attempts. Still I was unable to trigger alerts. Is there any issue in the configuration? Can you suggest what I should do to trigger alerts? Is there a simple way I can trigger a log? I am afraid I won't be able to share the log of the firewall, but I am receiving the logs in the archives.log file.

Thank You,
Warm Regards,

Khem Raj Bhatta
SIEM Engineer
phone: +97714441540
mobile: 9829477950 
Baluwatar, Kathmandu
Nepal
vairav.net



Julia Magán Rodríguez

Jun 21, 2022, 11:35:56 AM
to Wazuh mailing list

Hello,

If you can’t share with me the archives.log log, you can test it yourself using wazuh-logtest. To do this, you will need to take the log from archives.log, remove the header from it and insert it into wazuh-logtest. That is, if our log is:

2022 Jun 21 15:27:42 NoName->/tmp/test.log Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox

The log we should test is:

Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox

To test it, we run /var/ossec/bin/wazuh-logtest and enter the log:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line

Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox

**Phase 1: Completed pre-decoding.
    full event: 'Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox'
    timestamp: 'Jun 14 12:00:29'
    hostname: 'NoName'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 3: Completed filtering (rules).
    id: '2501'
    level: '5'
    description: 'syslog: User authentication failure.'
    groups: '['syslog', 'access_control', 'authentication_failed']'
    firedtimes: '4'
    gdpr: '['IV_35.7.7.d', 'IV_32.2']'
    gpg13: '['7.8']'
    hipaa: '['164.312.b']'
    mail: 'True'
    nist_800_53: '['AU.14', 'AC.7']'
    pci_dss: '['10.2.4', '10.2.5']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

This way we can see if the event is being decoded correctly, what information is being extracted and if an alert should be triggered.

You can see more info about wazuh-logtest here.
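As an added example (not part of Julia's reply and not Wazuh's own tooling), the header-stripping step described above as a small Python script that turns archives.log lines into events ready to paste into, or pipe into, wazuh-logtest. The archives.log layout is taken from the log shown above; the Fortigate-style sample line, the source-IP location and the command-line file argument are constructed assumptions.

```python
import re
import sys
from typing import Iterable, Iterator, Optional

# Wazuh archives.log stores each event behind an archive header of the form
#   "<YYYY Mon DD HH:MM:SS> <manager-hostname>-><location> <original event>"
# (e.g. "2022 Jun 21 15:27:42 NoName->/tmp/test.log Jun 14 ..."). wazuh-logtest
# expects only the original event, so the header has to be removed first.
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} "  # manager timestamp
    r"\S+->\S+ "                                      # hostname->location
    r"(?P<event>.*)$"                                 # the event itself
)


def strip_archive_header(line: str) -> Optional[str]:
    """Return the original event from one archives.log line, or None when the
    line carries no archive header (blank, truncated or already stripped)."""
    match = ARCHIVE_HEADER.match(line.rstrip("\r\n"))
    return match.group("event") if match else None


def events_for_logtest(lines: Iterable[str]) -> Iterator[str]:
    """Yield logtest-ready events, silently skipping lines without a header."""
    for line in lines:
        event = strip_archive_header(line)
        if event:
            yield event


# Constructed sample lines (not a real capture). The first reproduces the log
# from the thread; the second imitates a Fortigate key=value syslog event
# received from an assumed sender 192.0.2.10; the third is a blank line.
SAMPLE_ARCHIVE = [
    "2022 Jun 21 15:27:42 NoName->/tmp/test.log Jun 14 12:00:29 NoName "
    "login failure for user admin from 192.168.0.204 via winbox",
    "2022 Jun 21 15:28:01 NoName->192.0.2.10 date=2022-06-21 time=15:28:00 "
    'devname="FG-EXAMPLE" type=event subtype=system level=alert '
    'logdesc="Admin login failed" user="fakeuser" action=login status=failed',
    "",
]

if __name__ == "__main__":
    # Usage: python3 strip_archive_header.py /var/ossec/logs/archives/archives.log \
    #            | /var/ossec/bin/wazuh-logtest
    # Without an argument the constructed sample lines are used instead.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ARCHIVE
    for event in events_for_logtest(source):
        print(event)
```

Every printed line is one event as wazuh-logtest wants it, so the Phase 2 output shows directly whether any decoder matches the Fortigate format at all.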
